Cybersecurity Norms and the Public Private Partnership: Promoting Trust and Security in Cyberspace

This week I participated in the Budapest Conference on Cyberspace 2012 and also spoke at the Atlantic Council’s evening event entitled “Toward a Secure Cyber-Future: Building a Public-Private Partnership for Cybersecurity Norms.”[1] During both events, I stressed the importance of public-private partnership at the international level and the need to ensure that the private sector had a voice in the key discussions occurring around confidence-building measures and cybersecurity norms.

Cybersecurity policy is increasingly an international challenge. From 2000 to 2010, much of cybersecurity policy development occurred within nation states and, in many instances, the policy development process leveraged public-private partnerships.

To date, most international discussions on cybersecurity have been largely between governments. This is the right starting place, as governments need to think through the cybersecurity implications of a connected world. Today industry creates and operates most of the infrastructure that enables cyberspace. Industry continues to innovate and build best practices and technical cybersecurity norms including: vulnerability disclosure management, secure development, security incident response, and risk management. Therefore, these global conversations on cybersecurity would also benefit from a private sector perspective that can help governments think through the technical challenges and priorities involved in securing billions of customers using the Internet around the world.

Beginning in 2010, there was an increase in the international debate about Internet Governance along with the subsequent efforts focusing on cybersecurity norms and the need for greater technology policy harmonization to support innovation and increased trade.

Figure 1 below illustrates the increasingly international scope of cybersecurity-related policy and the need for greater public-private partnership at the international level.


Figure 1: Cybersecurity Policy Evolutionary Curve

The past two years have been particularly noteworthy with respect to the expansion of dialogue to “build and sustain an environment in which norms of responsible behavior guide states’ actions, sustain partnerships, and support the rule of law in cyberspace.”[1] This is an important debate, and it is critical that governments keep this dialogue open and moving forward. The Budapest Conference comes at a critical time in the government discussion about cybersecurity norms as it provides a multilateral forum and the opportunity to create an inclusive process going forward.

The road from Budapest to the next conference in Seoul allows for governments and the private sector to work together to understand and shape confidence-building measures and normative behaviors. This collaboration can support integrity, stability, and security while ensuring continued innovation and growth in cyberspace.

Microsoft commends the organizers of the Budapest Conference on Cyberspace in October 2012 and those preparing the Seoul Conference on Cyberspace 2013 for their dedicated efforts. Moving forward, we call upon (1) the private sector building and operating the infrastructure of cyberspace to work together with governments as they develop a common collaborative approach to cybersecurity norms; and (2) governments to embrace the private sector in dialogue leading to the Seoul Conference on Cyberspace in 2013 as well as other fora.

About the Author
Matt Thomlinson

Vice President, Microsoft Security

Matt Thomlinson is Vice President of Security at Microsoft and leads the Microsoft Security Engineering Center (MSEC), the Microsoft Security Response Center (MSRC), Global Security Strategy & Diplomacy (GSSD) and internal Network Security (NetSec). His teams are responsible for